Level 2


Description:

Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved “app stores.” Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both.  


Priority: High 


Domain: CONFIGURATION MANAGEMENT (CM) 


Services Associated with AWS: 

  • AWS Identity and Access Management (IAM)
  • AWS Systems Manager
  • AWS Security Hub


Services Associated with Azure:

  • Azure Active Directory (Azure AD)
  • Azure Endpoint Manager
  • Azure Update Management
  • Azure Security Center
  • Azure App Service
  • Azure Virtual Machines
  • Azure Policy


Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how IT Asset Management (ITAM) is implemented
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Administrative: supporting documentation to demonstrate how Role Based Access Control (RBAC) is properly & securely implemented
  • Technical: screenshot of groups and membership assignment
  • Technical: screenshot of ITAM console 


Possible Technology Considerations:

  • Identity & Access Management (IAM)
  • Secure Baseline Configurations (SBC)
  • Configuration Management Database (CMDB)
  • IT Asset Management (ITAM)
  • Event Log Monitoring
  • Privileged Access Management (PAM)
  • Role Based Access Control (RBAC)


What needs to be answered:

Are user controls in place to prohibit the installation of unauthorized software? Is all other software in use authorized? Are good practices in place that require user-installed software to execute only in a confined physical or virtual machine environment with limited privileges?


Checks for AWS

  • Control and Monitor User-Installed Software
    Description: This check ensures that organizations have implemented controls to govern and monitor user-installed software in their systems. By granting users the necessary privileges, organizations allow software installation while maintaining control over what is installed. Organizations establish policies that define permitted and prohibited actions regarding software installation, including updates and security patches from approved sources. Prohibited software installations may include software with unknown pedigrees or potentially malicious software. These policies can be organization-developed or provided by external entities. To enforce them, organizations use a combination of procedural and automated methods to monitor and control user-installed software.


Checks for Azure

  • Implement Software Installation Controls
    Description: This check ensures that organizations have implemented controls to prohibit the installation of unauthorized software by users in Azure. User controls are put in place to restrict software installation to authorized sources and prevent the installation of unauthorized or potentially malicious software. Organizations establish policies that define permitted software installations, such as updates and security patches from approved sources, while prohibiting the installation of software with unknown pedigrees or suspicious origins. These controls help maintain the integrity and security of the systems by ensuring that only authorized software is installed.
  • Enforce Authorization for Software Usage
    Description: This check verifies that organizations enforce authorization for software usage in Azure. All software used in the organization should be authorized, meaning it has gone through the necessary approval processes and meets the organization's standards and requirements. By enforcing authorization, organizations ensure that only authorized software is used, reducing the risk of unauthorized or unapproved software running on the systems.
  • Implement Isolated Execution Environment for User-Installed Software
    Description: This check emphasizes the implementation of an isolated execution environment for user-installed software in Azure. User-installed software should execute within a confined physical or virtual machine environment with limited privileges. By isolating the execution environment, organizations mitigate the potential impact of user-installed software on the overall system. Limited privileges ensure that user-installed software does not have unnecessary access or capabilities beyond what is required for its intended functionality.


More Details: Users are prohibited from installing software; software must be installed by IT administrators.